V8.13.392.2025.11.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-07 17:12:52 +01:00
parent 4e5bc1aa84
commit 051361abbb
79 changed files with 359 additions and 160 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.384.2025.11.06\e[0m")
+$(echo -e "\e[92mMaster V8.13.392.2025.11.07\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 name: 🔐 Generating a Private Live ISO TRIXIE.
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 name: 🔐 Generating a Private Live ISO TRIXIE.
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 name: 💙 Generating a PUBLIC Live ISO.
--- a/.archive/lib_lb_config_write.sh
+++ b/.archive/lib_lb_config_write.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Wrapper to write a new 'lb config' environment.
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.384.2025.11.06"
+      placeholder: "e.g., Master V8.13.392.2025.11.07"
    validations:
      required: true
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 name: 🔁 Render README.md to README.html.
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.384.2025.11.06
+  version: V8.13.392.2025.11.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.384.2025.11.06
+  version: V8.13.392.2025.11.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 name: 🔐 Generating a Private Live ISO TRIXIE.
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 name: 🔁 Render Graphviz Diagrams.
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.384.2025.11.06"
+properties_version="V8.13.392.2025.11.07"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.384.2025.11.06
+PackageVersion: Master V8.13.392.2025.11.07
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.384.2025.11.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.392.2025.11.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -152,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.384.2025.11.06`
+Example: `V8.13.392.2025.11.07`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2.1. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.384.2025.11.06** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.392.2025.11.07** (as of 2025-10-11)
 ## 2.2. Top-Level Layout
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -102,6 +102,9 @@ for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ;
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 ### CHECKING REQUIRED PACKAGES.
 check_pkgs
 ### ALL CHECKS DONE. READY TO START THE SCRIPT.
 find "${VAR_TMP_SECRET}" -type f -exec chmod 0400 {} +
 declare -grx VAR_SETUP="true"
@@ -166,22 +169,16 @@ fi
 for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
 for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
 ### CHECKING REQUIRED PACKAGES.
 check_pkgs
 ### DIALOG OUTPUT FOR INITIALIZATION.
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
-trap 'trap_on_exit "$?"' EXIT
+trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
 trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 ### Updating Status of Dialog Gauge Bar.
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.384.2025.11.06
+# Version Master V8.13.392.2025.11.07
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.384.2025.11.06"
+declare -gr VERSION="Master V8.13.392.2025.11.07"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.384.2025.11.06 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.392.2025.11.07 at: 10:18:37.9542
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. DNSSEC Status
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. TLS Audit:
 ````text
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. Hardened Kernel Boot Parameters
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,12 +8,17 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. Changelog
-## V8.13.384.2025.11.06
+## V8.13.392.2025.11.07
 * **Global**: Changed ``guard_sourcing`` to ``guard_sourcing || return "${ERR_GUARD_SRCE}"``
 * **Added**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh) + ``print_stacktrace`()
 * **Added**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh) + Trap on ``EXIT`` handler for 'non-0' exit-code.
 * **Bugfixes**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + modified passphrase handling
 ## V8.13.384.2025.11.06
 * **Global**: Changed ``shred -vfzu -n 5`` to ``shred -fzu -n 5``.
 * **Global**: Live-hooks: ``apt-get`` commands safeguarded by ``export DEBIAN_FRONTEND="noninteractive" INITRD="No"``.
 * **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc)
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. Centurion Net - Developer Branch Overview
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. Coding Style
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. Contributing / participating
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. Credits
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.384.2025.11.06
+Master V8.13.392.2025.11.07
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
@@ -145,7 +145,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
-                        V8.13.384.2025.11.06                        2025-11-06                         CDLB(1)
+                        V8.13.392.2025.11.07                        2025-11-06                         CDLB(1)
 ````
 # 3. Booting
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.384.2025.11.06<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. Resources
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Argument Parser.
--- a/lib/lib_arg_priority_check.sh
+++ b/lib/lib_arg_priority_check.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Check and setup Script Priorities
--- a/lib/lib_boot_screen.sh
+++ b/lib/lib_boot_screen.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Set up a gauge Dialog Wrapper.
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # CISS.debian.installer 'GRUB' and 'autostart' generator.
--- a/lib/lib_change_splash.sh
+++ b/lib/lib_change_splash.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Change Grub Boot Screen Splash
--- a/lib/lib_check_dhcp.sh
+++ b/lib/lib_check_dhcp.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Check if hardened Centurion DNS servers are desired.
--- a/lib/lib_check_hooks.sh
+++ b/lib/lib_check_hooks.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Check and apply 0755 Permissions on every '"${VAR_HANDLER_BUILD_DIR}"/./config/hooks/live/*.chroot'-file.
--- a/lib/lib_check_kernel.sh
+++ b/lib/lib_check_kernel.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Kernel Image Selector
--- a/lib/lib_check_pkgs.sh
+++ b/lib/lib_check_pkgs.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Check for required Deb Packages to run the script.
@@ -43,20 +43,10 @@ check_pkgs() {
  if ! command -v debootstrap >/dev/null 2>&1; then
    if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
      # shellcheck disable=SC2155
      declare codename=$(lsb_release -sc)
      apt-get install -y -t "${codename}-backports" debootstrap
    else
      apt-get install -y debootstrap
  fi
  fi
  if [[ ! -f /usr/share/live/build/VERSION ]]; then
    apt-get install -y live-build
--- a/lib/lib_check_provider.sh
+++ b/lib/lib_check_provider.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Notes Textbox.
--- a/lib/lib_check_stats.sh
+++ b/lib/lib_check_stats.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Check if analysis run is desired only.
--- a/lib/lib_check_var.sh
+++ b/lib/lib_check_var.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Unbound variable check and call trap on 'ERR'.
--- a/lib/lib_ciss_upgrades_boot.sh
+++ b/lib/lib_ciss_upgrades_boot.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Integrates primordial SSH identity- and / or ssh_host-files.
--- a/lib/lib_ciss_upgrades_build.sh
+++ b/lib/lib_ciss_upgrades_build.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Module to update '/usr/lib/live/build/...' scripts.
--- a/lib/lib_clean_screen.sh
+++ b/lib/lib_clean_screen.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Terminal cleaner before Trap on Error
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Cleanup wrapper on the traps on 'ERR' and 'EXIT'.
--- a/lib/lib_copy_integrity.sh
+++ b/lib/lib_copy_integrity.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Copy Initial ISO aide Database into Host System
--- a/lib/lib_debug.sh
+++ b/lib/lib_debug.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Debugger module for xtrace to debug log.
--- a/lib/lib_debug_header.sh
+++ b/lib/lib_debug_header.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Generates the debug log header.
--- a/lib/lib_gnupg.sh
+++ b/lib/lib_gnupg.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Init GNUPGHOME.
@@ -51,8 +51,20 @@ init_gnupg() {
      # shellcheck disable=SC2174
      mkdir -p -m 0700 "${GNUPGHOME}"
-      echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
+      cat << EOF >> "${GNUPGHOME}/gpg-agent.conf"
-      gpgconf --reload gpg-agent || true
+allow-loopback-pinentry
 pinentry-program /usr/bin/pinentry-tty
 EOF
      gpgconf --kill gpg-agent || true
      if ! gpgconf --launch gpg-agent >/dev/null 2>&1; then
        printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ Failed to launch gpg-agent. \e[0m\n"
        umask "${__umask}"
        return "${ERR_GPG__AGENT}"
      fi
    else
@@ -60,14 +72,11 @@ init_gnupg() {
    fi
-    gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
+    ### Use pubring as verification keyring reference.
    shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
    gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}_public.gpg"
    gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums_public.gpg"
    declare -grx VAR_VERIFY_KEYRING="${GNUPGHOME}/pubring.kbx"
    declare -grx VAR_SIGNING_KEY_PASSFILE="${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS}"
    ### No tracing for security reasons ------------------------------------------------------------------------------------------
    [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
@@ -78,6 +87,20 @@ init_gnupg() {
    ### Turn on tracing again ----------------------------------------------------------------------------------------------------
    [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
    if ! gpg --batch --yes --pinentry-mode=loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"; then
      printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ Failed to import signing key. \e[0m\n"
      umask "${__umask}"
      return "${ERR_GPG__AGENT}"
    fi
    shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
    ### Export public key for verification inside ISO / chroot.
    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}_public.gpg"
    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums_public.gpg"
    umask "${__umask}"
    __umask=""
--- a/lib/lib_hardening_root_pw.sh
+++ b/lib/lib_hardening_root_pw.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Updates the Live ISO to use root password authentication for local console access.
--- a/lib/lib_hardening_ssh_tcp.sh
+++ b/lib/lib_hardening_ssh_tcp.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # SSH hardening via TCP wrapper.
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Module for accompanying all 'CISS.debian.hardening' features into the Live ISO image.
--- a/lib/lib_helper_ip.sh
+++ b/lib/lib_helper_ip.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # IP notation cleaner for pure IP output only.
--- a/lib/lib_lb_build_start.sh
+++ b/lib/lib_lb_build_start.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Wrapper to write a new 'lb config' environment.
--- a/lib/lib_lb_config_start.sh
+++ b/lib/lib_lb_config_start.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Wrapper to write a new 'lb config' environment.
--- a/lib/lib_note_target.sh
+++ b/lib/lib_note_target.sh
@@ -15,13 +15,13 @@
 # Globals:
 #   BASH_SOURCE
 #   SOURCE_DATE_EPOCH
-#   VAR_BASH_VER
+#   VAR_VER_BASH
 #   VAR_DATE_INFO
-#   VAR_DS_VER
+#   VAR_VER_DS
 #   VAR_GIT_REL
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HOST
-#   VAR_LB_VER
+#   VAR_VER_LB
 #   VAR_VERSION
 # Arguments:
 #   None
@@ -43,9 +43,9 @@ note_target() {
  Epoch       : ${SOURCE_DATE_EPOCH}
  Date        : ${VAR_DATE_INFO}
  Host        : ${VAR_HOST}
-  Bash        : ${VAR_BASH_VER}
+  Bash        : ${VAR_VER_BASH}
-  Debootstrap : ${VAR_DS_VER}
+  Debootstrap : ${VAR_VER_DS}
-  Live-Build  : ${VAR_LB_VER}
+  Live-Build  : ${VAR_VER_LB}
  This program is free software. Distribution and modification under
  EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -70,9 +70,9 @@ export CDLB_VERSION="${VAR_VERSION}"
 export CDLB_GIT_REL="${VAR_GIT_REL}"
 export CDLB_CR_DATE="${VAR_DATE_INFO}"
 export CDLB_CR_HOST="${VAR_HOST}"
-export CDLB_BASHVER="${VAR_BASH_VER}"
+export CDLB_BASHVER="${VAR_VER_BASH}"
-export CDLB_DS_VER="${VAR_DS_VER}"
+export CDLB_DS_VER="${VAR_VER_DS}"
-export CDLB_LB_VER="${VAR_LB_VER}"
+export CDLB_LB_VER="${VAR_VER_LB}"
 export CDLB_SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}"
 EOF
  chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env"
--- a/lib/lib_primordial.sh
+++ b/lib/lib_primordial.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Integrate primordial SSH identity files.
--- a/lib/lib_provider_netcup.sh
+++ b/lib/lib_provider_netcup.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Module for Netcup static IPv6 address.
--- a/lib/lib_run_analysis.sh
+++ b/lib/lib_run_analysis.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Wrapper for statistic functions of the final build.
--- a/lib/lib_sanitizer.sh
+++ b/lib/lib_sanitizer.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Arguments check wrapper.
--- a/lib/lib_trap_on_err.sh
+++ b/lib/lib_trap_on_err.sh
@@ -10,42 +10,50 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Print Error Message for Trap on 'ERR' in ${ERROR_LOG}
 # Globals:
 #   BASHOPTS
 #   EPOCHREALTIME
 #   ERRCMMD
 #   ERRCODE
 #   ERRFUNC
 #   ERRLINE
 #   ERRSCRT
 #   EUID
 #   LOG_DEBUG
 #   LOG_ERROR
 #   LOG_VAR
 #   SECONDS
 #   SHELLOPTS
 #   UID
 #   VAR_ARG_SANITIZED
 #   VAR_BASH_VER
 #   VAR_DS_VER
 #   VAR_EARLY_DEBUG
 #   VAR_GIT_REL
 #   VAR_LB_VER
 #   VAR_PARAM_COUNT
 #   VAR_PARAM_STRNG
 #   VAR_SYSTEM
 #   VAR_VERSION
 #   VAR_VER_BASH
 #   VAR_VER_DS
 #   VAR_VER_LB
 # Arguments:
 #   None
 #######################################
 print_file_err() {
  {
-    printf "❌ CISS.debian.live.builder Script failed. \n"
+    printf "❌ Trap on 'ERR'          : CISS.debian.live.builder Script failed. \n"
    printf "❌ Git Commit             : %s \n" "${VAR_GIT_REL}"
    printf "❌ Version                : %s \n" "${VAR_VERSION}"
    printf "❌ Epoch                  : %s \n" "${EPOCHREALTIME}"
    printf "❌ Bash                   : %s \n" "${VAR_VER_BASH}"
    printf "❌ Live-Build             : %s \n" "${VAR_VER_LB}"
    printf "❌ Debootstrap            : %s \n" "${VAR_VER_DS}"
    printf "❌ UID                    : %s \n" "${UID}"
    printf "❌ EUID                   : %s \n" "${EUID}"
    printf "❌ Hostsystem             : %s \n" "${VAR_SYSTEM}"
    printf "❌ Bash                   : %s \n" "${VAR_BASH_VER}"
    printf "❌ Live-Build             : %s \n" "${VAR_LB_VER}"
    printf "❌ Debootstrap            : %s \n" "${VAR_DS_VER}"
    printf "❌ Error                  : %s \n" "${ERRCODE}"
    printf "❌ Line                   : %s \n" "${ERRLINE}"
    printf "❌ Script                 : %s \n" "${ERRSCRT}"
@@ -55,6 +63,8 @@ print_file_err() {
    printf "❌ Arguments Counter      : %s \n" "${VAR_PARAM_COUNT}"
    printf "❌ Arguments Original     : %s \n" "${VAR_PARAM_STRNG}"
    printf "❌ Arguments Sanitized    : %s \n" "${VAR_ARG_SANITIZED}"
    printf "❌ Bashopts               : %s \n" "${BASHOPTS}"
    printf "❌ Shellopts              : %s \n" "${SHELLOPTS}"
    if "${VAR_EARLY_DEBUG}"; then
@@ -72,7 +82,7 @@ print_file_err() {
 readonly -f print_file_err
 #######################################
-# Print Error Message for Trap on 'ERR' on Terminal
+# Print Error Message for Trap on 'ERR' on Terminal.
 # Globals:
 #   ERRCMMD
 #   ERRCODE
@@ -84,26 +94,29 @@ readonly -f print_file_err
 #   LOG_VAR
 #   SECONDS
 #   VAR_ARG_SANITIZED
 #   VAR_BASH_VER
 #   VAR_DS_VER
 #   VAR_EARLY_DEBUG
 #   VAR_GIT_REL
 #   VAR_LB_VER
 #   VAR_PARAM_COUNT
 #   VAR_PARAM_STRNG
 #   VAR_SYSTEM
 #   VAR_VERSION
 #   VAR_VER_BASH
 #   VAR_VER_DS
 #   VAR_VER_LB
 # Arguments:
 #   None
 #######################################
 print_scr_err() {
-  printf "\e[91m❌ CISS.debian.live.builder Script failed. \e[0m\n" >&2
+  printf "\e[91m❌ Trap on 'ERR'          : CISS.debian.live.builder Script failed. \e[0m\n" >&2
  printf "\e[91m❌ Git Commit             : %s \e[0m\n" "${VAR_GIT_REL}" >&2
  printf "\e[91m❌ Version                : %s \e[0m\n" "${VAR_VERSION}" >&2
  printf "\e[91m❌ Epoch                  : %s \e[0m\n" "${EPOCHREALTIME}" >&2
  printf "\e[91m❌ Bash                   : %s \e[0m\n" "${VAR_VER_BASH}" >&2
  printf "\e[91m❌ Live-Build             : %s \e[0m\n" "${VAR_VER_LB}" >&2
  printf "\e[91m❌ Debootstrap            : %s \e[0m\n" "${VAR_VER_DS}" >&2
  printf "\e[91m❌ UID                    : %s \e[0m\n" "${UID}" >&2
  printf "\e[91m❌ EUID                   : %s \e[0m\n" "${EUID}" >&2
  printf "\e[91m❌ Hostsystem             : %s \e[0m\n" "${VAR_SYSTEM}" >&2
  printf "\e[91m❌ Bash                   : %s \e[0m\n" "${VAR_BASH_VER}" >&2
  printf "\e[91m❌ Live-Build             : %s \e[0m\n" "${VAR_LB_VER}" >&2
  printf "\e[91m❌ Debootstrap            : %s \e[0m\n" "${VAR_DS_VER}" >&2
  printf "\e[91m❌ Error                  : %s \e[0m\n" "${ERRCODE}" >&2
  printf "\e[91m❌ Line                   : %s \e[0m\n" "${ERRLINE}" >&2
  printf "\e[91m❌ Script                 : %s \e[0m\n" "${ERRSCRT}" >&2
@@ -113,6 +126,8 @@ print_scr_err() {
  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${VAR_PARAM_COUNT}" >&2
  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${VAR_PARAM_STRNG}" >&2
  printf "\e[91m❌ Arguments Sanitized    : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
  printf "\e[91m❌ Bashopts               : %s \e[0m\n" "${BASHOPTS}" >&2
  printf "\e[91m❌ Shellopts              : %s \e[0m\n" "${SHELLOPTS}" >&2
  printf "\e[91m❌ Error Log saved at     : %s \e[0m\n" "${LOG_ERROR}" >&2
  printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" >&2
@@ -124,7 +139,8 @@ print_scr_err() {
  fi
-  printf "\n"
+  print_stacktrace
  printf "%b" "${NL}"
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
@@ -216,4 +232,49 @@ dump_user_vars() {
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f dump_user_vars
 #######################################
 # Print function() stacktrace.
 # Globals:
 #   BASH_LINENO
 #   BASH_SOURCE
 #   FUNCNAME
 #   LINENO
 #   LOG_ERROR
 #   NL
 #   RED
 #   RES
 # Arguments:
 #   None
 #######################################
 print_stacktrace() {
  declare -i i=0
  printf "%b❌ %b%b" "${RED}" "${RES}" "${NL}"
  printf "❌ %b" "${NL}" >> "${LOG_ERROR}"
  printf "%b❌ Raw Stacktrace         : %b%b" "${RED}" "${RES}" "${NL}"
  printf "❌ Raw Stacktrace         : %b" "${NL}" >> "${LOG_ERROR}"
  for ((i=0; i<${#FUNCNAME[@]}-1; i++)); do
    if (( i == 0 )); then
      printf "%b❌   ➥ %s() at: [%s:%s] %b%b" "${RED}" "${FUNCNAME[i]}" "${BASH_SOURCE[i]}" "${LINENO:-?}" "${RES}" "${NL}"
      printf "❌   ➥ %s() at: [%s:%s] %b" "${FUNCNAME[i]}" "${BASH_SOURCE[i]}" "${LINENO:-?}" "${NL}" >> "${LOG_ERROR}"
    else
      printf "%b❌   ➥ %s() at: [%s:%s] %b%b" "${RED}" "${FUNCNAME[i]}" "${BASH_SOURCE[i]}" "${BASH_LINENO[i-1]:-?}" "${RES}" "${NL}"
      printf "❌   ➥ %s() at: [%s:%s] %b" "${FUNCNAME[i]}" "${BASH_SOURCE[i]}" "${BASH_LINENO[i-1]:-?}" "${NL}" >> "${LOG_ERROR}"
    fi
  done
  printf "%b" "${NL}"
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f print_stacktrace
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_trap_on_exit.sh
+++ b/lib/lib_trap_on_exit.sh
@@ -10,33 +10,60 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Trap function to be called on 'EXIT'.
 # Globals:
 #   ERRCMMD
 #   ERRCODE
 #   ERRFUNC
 #   ERRLINE
 #   ERRSCRT
 #   ERRTRAP
 #   VAR_EARLY_DEBUG
 # Arguments:
 #   1: $?
 #   2: ${BASH_SOURCE[0]}
 #   3: ${LINENO}
 #   4: ${FUNCNAME[0]:-main}
 #   5: ${BASH_COMMAND}
 #######################################
 trap_on_exit() {
  declare errcode="${ERRCODE:-$1}"
  declare errscrt="${ERRSCRT:-$2}"
  declare errline="${ERRLINE:-$3}"
  declare errfunc="${ERRFUNC:-$4}"
  declare errcmmd="${ERRCMMD:-$5}"
  trap - DEBUG ERR EXIT INT TERM
-  declare -r var_trap_on_exit_code="$1"
+  ### Defensive shell behavior inside trap.
  set +e +o pipefail
-  if (( var_trap_on_exit_code == 0 )); then
+  if (( errcode == 0 )); then
    if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
-    clean_up "${var_trap_on_exit_code}"
+    clean_up "${errcode}"
-    print_scr_exit "${var_trap_on_exit_code}"
+    print_scr_exit "${errcode}"
-    exit "${var_trap_on_exit_code}"
+    exit "${errcode}"
  else
-    exit "${var_trap_on_exit_code}"
+    if [[ ! "${ERRTRAP}" == "true" ]]; then
      if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
      clean_up "${errcode}"
      print_scr_exit_non_zero "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
    fi
    exit "${errcode}"
  fi
 }
@@ -45,22 +72,22 @@ trap_on_exit() {
 readonly -f trap_on_exit
 #######################################
-# Print Success Message for Trap on 'EXIT' on 'stdout'.
+# Print success message for trap on 'EXIT' on 'stdout'.
 # Globals:
 #   LOG_DEBUG
 #   LOG_VAR
 #   SECONDS
 #   VAR_BASH_VER
 #   VAR_DS_VER
 #   VAR_EARLY_DEBUG
 #   VAR_GIT_REL
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_LB_VER
 #   VAR_SCRIPT_SUCCESS
 #   VAR_SYSTEM
 #   VAR_VERSION
 #   VAR_VER_BASH
 #   VAR_VER_DS
 #   VAR_VER_LB
 # Arguments:
-#   1: ${var_trap_on_exit_code} of trap_on_exit()
+#   1: ${errcode} of trap_on_exit()
 #######################################
 print_scr_exit() {
  declare -r var_print_scr_exit_code="$1"
@@ -74,9 +101,9 @@ print_scr_exit() {
      printf "\e[92m✅ Git Commit             : %s \e[0m\n" "${VAR_GIT_REL}"
      printf "\e[92m✅ Version                : %s \e[0m\n" "${VAR_VERSION}"
      printf "\e[92m✅ Hostsystem             : %s \e[0m\n" "${VAR_SYSTEM}"
-      printf "\e[92m✅ Bash                   : %s \e[0m\n" "${VAR_BASH_VER}"
+      printf "\e[92m✅ Bash                   : %s \e[0m\n" "${VAR_VER_BASH}"
-      printf "\e[92m✅ Live-Build             : %s \e[0m\n" "${VAR_LB_VER}"
+      printf "\e[92m✅ Live-Build             : %s \e[0m\n" "${VAR_VER_LB}"
-      printf "\e[92m✅ Debootstrap            : %s \e[0m\n" "${VAR_DS_VER}"
+      printf "\e[92m✅ Debootstrap            : %s \e[0m\n" "${VAR_VER_DS}"
      printf "\e[92m✅ Aide Initial DB at     : %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/"
      printf "\e[92m✅ Exited with Status     : %s \e[0m\n" "${var_print_scr_exit_code}"
      printf "\n"
@@ -102,4 +129,86 @@ print_scr_exit() {
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f print_scr_exit
 #######################################
 # Trap on 'EXIT' handler for 'non-0' exit-code.
 # Globals:
 #   BASHOPTS
 #   EPOCHREALTIME
 #   ERRCMMD
 #   ERRCODE
 #   ERRFUNC
 #   ERRLINE
 #   ERRSCRT
 #   EUID
 #   LOG_DEBUG
 #   LOG_ERROR
 #   LOG_VAR
 #   NL
 #   SECONDS
 #   SHELLOPTS
 #   UID
 #   VAR_ARG_SANITIZED
 #   VAR_EARLY_DEBUG
 #   VAR_GIT_REL
 #   VAR_PARAM_COUNT
 #   VAR_PARAM_STRNG
 #   VAR_SYSTEM
 #   VAR_VERSION
 #   VAR_VER_BASH
 #   VAR_VER_DS
 #   VAR_VER_LB
 # Arguments:
 #   1: $?
 #   2: ${BASH_SOURCE[0]}
 #   3: ${LINENO}
 #   4: ${FUNCNAME[0]:-main}
 #   5: ${BASH_COMMAND}
 #######################################
 print_scr_exit_non_zero() {
  declare errcode="${ERRCODE:-$1}"
  declare errscrt="${ERRSCRT:-$2}"
  declare errline="${ERRLINE:-$3}"
  declare errfunc="${ERRFUNC:-$4}"
  declare errcmmd="${ERRCMMD:-$5}"
  printf "\e[91m❌ Trap on 'EXIT'         : CISS.debian.live.builder Script failed. \e[0m\n" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌                        : This was most probably caused by an unbound variable. \e[0m\n" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Git Commit             : %s \e[0m\n" "${VAR_GIT_REL}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Version                : %s \e[0m\n" "${VAR_VERSION}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Epoch                  : %s \e[0m\n" "${EPOCHREALTIME}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Bash                   : %s \e[0m\n" "${VAR_VER_BASH}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Live-Build             : %s \e[0m\n" "${VAR_VER_LB}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Debootstrap            : %s \e[0m\n" "${VAR_VER_DS}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ UID                    : %s \e[0m\n" "${UID}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ EUID                   : %s \e[0m\n" "${EUID}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Hostsystem             : %s \e[0m\n" "${VAR_SYSTEM}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Error                  : %s \e[0m\n" "${errcode}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Line                   : %s \e[0m\n" "${errline}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Script                 : %s \e[0m\n" "${errscrt}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Function               : %s \e[0m\n" "${errfunc}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Command                : %s \e[0m\n" "${errcmmd}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Script Runtime         : %s \e[0m\n" "${SECONDS}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${VAR_PARAM_COUNT}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${VAR_PARAM_STRNG}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Arguments Sanitized    : %s \e[0m\n" "${VAR_ARG_SANITIZED}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Bashopts               : %s \e[0m\n" "${BASHOPTS}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Shellopts              : %s \e[0m\n" "${SHELLOPTS}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ Error Log saved at     : %s \e[0m\n" "${LOG_ERROR}" | tee -a "${LOG_ERROR}"
  printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" | tee -a "${LOG_ERROR}"
  if "${VAR_EARLY_DEBUG}"; then
    printf "\e[91m❌ Vars Dump saved at     : %s \e[0m\n" "${LOG_VAR}" | tee -a "${LOG_ERROR}"
    printf "\e[91m❌ Debug Log saved at     : %s \e[0m\n" "${LOG_DEBUG}" | tee -a "${LOG_ERROR}"
    printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_DEBUG}" | tee -a "${LOG_ERROR}"
  fi
  print_stacktrace
  printf "%b" "${NL}"
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f print_scr_exit_non_zero
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -39,13 +39,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.384.2025.11.06                        2025-11-06                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.392.2025.11.07                        2025-11-06                         CDLB(1)" "${var_cols}")
  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.384.2025.11.06\e[0m"
+    echo -e "\e[92mMaster V8.13.392.2025.11.07\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
--- a/lib/lib_version.sh
+++ b/lib/lib_version.sh
@@ -13,7 +13,7 @@
 #######################################
 # Version module 'CISS.debian.live.builder'.
 # Globals:
-#   VAR_BASH_VER
+#   VAR_VER_BASH
 #   VAR_GIT_REL
 #   VAR_HOST
 #   VAR_VERSION
@@ -43,7 +43,7 @@ $(echo -e "\e[97m###############################################################
  Using   : lb (${VAR_VER_LB}) debootstrap (${VAR_VER_DS})
  on      : ${VAR_HOST}
-  Bash    : ${VAR_BASH_VER}
+  Bash    : ${VAR_VER_BASH}
 EOF
--- a/scripts/usr/local/sbin/9999-cdi-starter
+++ b/scripts/usr/local/sbin/9999-cdi-starter
@@ -127,7 +127,7 @@ main() {
  # shellcheck disable=SC2312
  exec > >(tee -a "${var_log}") 2>&1
-  printf "CISS.debian.installer Master V8.13.384.2025.11.06 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.392.2025.11.07 is up! \n" >> "${var_log}"
  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -182,7 +182,7 @@ main() {
  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.384.2025.11.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.392.2025.11.07: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
  exit 0
 }
--- a/var/bash.var.sh
+++ b/var/bash.var.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
 set -o errexit           # Exit script when a command exits with non-zero status, the same as "set -e".
--- a/var/color.var.sh
+++ b/var/color.var.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 ### Definition of color variables.
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -13,14 +13,6 @@
 ### Definition of MUST set early variables.
 # shellcheck disable=SC2155
 declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4
  if (NF >= 5) out = out " " $5
  if (NF >= 6) out = out " " $6
  print out
 }')"
 declare -grx VAR_CONTACT="security@coresecret.eu"
 declare -grx VAR_DATE="$(date +%F)"
 declare -grx VAR_DATE_EPOCH="$(date -u +%s)"
@@ -33,7 +25,14 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.384.2025.11.06"
+declare -grx VAR_VERSION="Master V8.13.392.2025.11.07"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4
  if (NF >= 5) out = out " " $5
  if (NF >= 6) out = out " " $6
  print out
 }')"
 declare -grx VAR_VER_DS="$(debootstrap --version)"
 declare -grx VAR_VER_LB="$(lb -v)"
 declare -gx  APT_LISTCHANGES_FRONTEND="none"
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 # shellcheck disable=SC2155,SC2034
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 ### Definition of MUST set global variables.
 declare -gr VAR_KERNEL_INF="$(mktemp)"
@@ -55,11 +55,26 @@ declare -gx VAR_SIGNING_KEY_PASS=""
 declare -gx VAR_SIGNING_KEY_PASSFILE=""
 declare -gx VAR_SIGNING_KEY=""
-### Definition of error codes
+### Definition of color variables.
 declare -grx BLA='\e[90m' # Beautiful black for the techno fans.
 declare -grx RED='\e[91m' # Bright red.
 declare -grx GRE='\e[92m' # Vibrant green.
 declare -grx YEL='\e[93m' # Fancy yellow
 declare -grx BLU='\e[94m' # Organic blue.
 declare -grx MAG='\e[95m' # Super gay magenta.
 declare -grx CYA='\e[96m' # Lovely cyan.
 declare -grx WHI='\e[97m' # Fantastic color mix.
 declare -grx RES='\e[0m'  # Forget everything.
 declare -grx TAB='\t'     # Insert a fresh tabulator.
 declare -grx NL='\n'      # Print a crystal clear new line.
 ### Definition of error codes.
 declare -gir ERR_UNCRITICAL=127
 declare -gir ERR_NOT_USER_0=128 # Not running as root
 declare -gir ERR_FLOCK_WRTG=129 # Cannot open lockfile for writing
 declare -gir ERR_FLOCK_COLL=130 # The Script is already running
 declare -gir ERR_GUARD_SRCE=131 # Module tried to load twice.
 declare -gir ERR_GPG__AGENT=132 # GNUPG agent error.
 declare -gir ERR_SPLASH_PNG=200 # --change-splash MUST be 'club' or 'hexagon'
 declare -gir ERR_CONTROL_CT=201 # --control MUST be an integer between '1' and '65535'
 declare -gir ERR_RENICE_PRI=202 # --renice-priority MUST an integer between '-19' and '19'